Microsoft Shares Information On Post-compromise Exchange Attacks
Anyone inspecting a compromised Exchange server should look for traces of more than one attacker, Microsoft warns.
Most on-premises Exchange servers have now been patched, but Microsoft says its investigations show that multiple threats are lurking on systems that were compromised before the fixes were applied.
The company is sounding the alarm about follow-on attacks against already compromised Exchange servers, particularly where the initial intruders used web shells to gain persistence or stole credentials that remain valid.
Patches do not necessarily remove attacker access
Microsoft released fixes for Exchange Server on March 2. By then, four Exchange vulnerabilities were already being exploited by a threat actor Microsoft tracks as Hafnium.
Earlier this week, Microsoft announced that 92% of vulnerable Exchange servers had been patched or had mitigations applied. However, security company F-Secure says "tens of thousands" of Exchange servers had already been compromised.
In a new blog post, Microsoft reiterates its warning: "Applying fixes to a system does not necessarily remove attacker access."
Principle of least privilege
"Many compromised systems have not yet been the subject of a secondary action, such as a ransomware attack or data exfiltration, indicating that attackers could establish and maintain their access for potential future actions," the Microsoft 365 Defender Threat Intelligence team explains in a blog post.
Where systems have been compromised, Microsoft urges administrators to apply the principle of least privilege and to limit lateral movement across the network. Least privilege addresses a common pattern in which an Exchange service or scheduled task has been configured to run under a highly privileged account in order to perform jobs such as backups.
"As the service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial access due to virus detection, as the account can be used to elevate privileges thereafter," notes Microsoft.
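The inventory Microsoft's advice implies, as an added example that is not part of the original article or of Microsoft's post: a PowerShell pass over the services and scheduled tasks on an Exchange server that run under a named account rather than a built-in system identity, with the account's password age and privileged-group memberships pulled from Active Directory where the RSAT module is available. The group names in $privilegedGroups are an assumption for a typical Exchange organization; adjust them to your own.

```powershell
# Added example, not Microsoft's code: list services and scheduled tasks on this server that
# run under a named account (anything other than the built-in system identities), then, when
# the RSAT ActiveDirectory module is present, report the account's password age and whether it
# sits in a privileged group. Group names in $privilegedGroups are an assumption for a typical
# Exchange organization. Run in an elevated PowerShell session on the Exchange server.

$builtin = @(
    'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
)
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Organization Management')

$findings = New-Object System.Collections.Generic.List[object]

# Services: Win32_Service.StartName is the logon account.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName })
    }

# Scheduled tasks: Principal.UserId is the run-as identity. Tasks under \Microsoft\ are the OS's own.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Principal.UserId -and
                   ($builtin -notcontains $_.Principal.UserId) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Account = $_.Principal.UserId })
    }

$adAvailable = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
if ($adAvailable) { Import-Module ActiveDirectory }

foreach ($f in $findings) {
    # Normalise DOMAIN\user and user@domain to the sAMAccountName.
    $sam = ($f.Account -split '\\')[-1]
    if ($sam -like '*@*') { $sam = ($sam -split '@')[0] }

    $passwordAgeDays = $null
    $privileged      = $null
    if ($adAvailable) {
        # gMSAs and local accounts are not user objects and simply return nothing here.
        $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordLastSet, MemberOf -ErrorAction SilentlyContinue
        if ($u) {
            if ($u.PasswordLastSet) { $passwordAgeDays = [int]((Get-Date) - $u.PasswordLastSet).TotalDays }
            # Direct memberships only; nested membership needs a recursive lookup.
            $groups     = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
            $privileged = ($groups | Where-Object { $privilegedGroups -contains $_ }) -join ';'
        }
    }
    $f | Add-Member -NotePropertyName PasswordAgeDays  -NotePropertyValue $passwordAgeDays
    $f | Add-Member -NotePropertyName PrivilegedGroups -NotePropertyValue $privileged
}

# The oldest passwords on the most privileged accounts are the ones an attacker holding a
# SAM/LSA Secrets dump benefits from most.
$findings | Sort-Object PasswordAgeDays -Descending |
    Format-Table Kind, Name, Account, PasswordAgeDays, PrivilegedGroups -AutoSize
```

Every row in the output is an account whose password may already sit in an attacker's LSA Secrets dump. Rows with a privileged group and a large password age are the ones to rotate first; after rotation, reconsider whether the service or task needs that level of privilege at all.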
Beware of ransomware
Using the DoejoCrypt ransomware, also known as DearCry, as an example, Microsoft notes that the web shells used by this strain write a batch file to C:\Windows\Temp\xx.bat. The file has been found on every system affected by DoejoCrypt, and it may offer the attacker a way back in after the infection has been detected and removed.
"This batch file performs a backup of the Security Account Manager (SAM) database and System and Security registry keys, allowing attackers to later access passwords of local users on the system and, more critically, in the LSA [Local Security Authority] Secrets part of the registry, where the passwords for services and scheduled tasks are stored," Microsoft notes.
Even where victims have not been ransomed, the xx.bat file lets the attacker explore the network through the web shell that dropped it in the first place. The web shell also downloads the Cobalt Strike penetration-testing framework before fetching the ransomware payload and encrypting files. In other words, a victim may not have been ransomed today, but the attacker has left on the network the tools needed to do so tomorrow.
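A triage pass for the DoejoCrypt artifacts described in the three paragraphs above, as an added example that is not part of the original article or of Microsoft's post. It checks for the batch file at the reported path, finds exported registry hives in C:\Windows\Temp by their file signature rather than by name, and searches the Security log for reg.exe exporting the SAM, SYSTEM or SECURITY hives. Two assumptions: that the batch file does its backup with 'reg.exe save' (the article says only that it backs up those hives), and that process-creation auditing with command-line logging (Event ID 4688) is turned on.

```powershell
# Added example, not Microsoft's code: triage one server for the DoejoCrypt artifacts described
# above. Assumptions: the batch file exports the SAM/SYSTEM/SECURITY hives with 'reg.exe save'
# (the article says only that it backs them up), and process-creation auditing with command-line
# logging (Security Event ID 4688) is enabled. Run in an elevated PowerShell session.

function Get-EventDataValue {
    # Pull one named EventData field out of an event record via its XML, independent of field order.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-RegistryHiveFile {
    # Every registry hive file starts with the ASCII signature 'regf', whatever it was renamed to.
    param([string]$Path)
    $fs = $null
    try {
        $fs    = [System.IO.File]::OpenRead($Path)
        $magic = New-Object byte[] 4
        ($fs.Read($magic, 0, 4) -eq 4) -and ([System.Text.Encoding]::ASCII.GetString($magic) -eq 'regf')
    } catch { $false } finally { if ($fs) { $fs.Dispose() } }
}

$summary = [ordered]@{}

# 1. The dropped batch file at the path Microsoft reports.
$bat = 'C:\Windows\Temp\xx.bat'
$summary['xx.bat present'] = Test-Path -LiteralPath $bat
if ($summary['xx.bat present']) {
    Get-Item -LiteralPath $bat | Format-List FullName, CreationTimeUtc, LastWriteTimeUtc, Length
}

# 2. Hive exports left behind in Temp, found by signature rather than by name.
$hiveDumps = @(Get-ChildItem -LiteralPath 'C:\Windows\Temp' -File -ErrorAction SilentlyContinue |
    Where-Object { Test-RegistryHiveFile -Path $_.FullName })
$summary['hive files in C:\Windows\Temp'] = $hiveDumps.Count
$hiveDumps | Format-Table FullName, Length, LastWriteTimeUtc -AutoSize

# 3. reg.exe saving the credential hives, from Security 4688 command lines.
$pattern = '(?i)\breg(\.exe)?\s+save\s+.*(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b'
$regSave = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataValue -Event $_ -Name 'CommandLine') -match $pattern })
$summary['reg save of SAM/SYSTEM/SECURITY (4688)'] = $regSave.Count
$regSave | Format-Table TimeCreated,
    @{ n = 'User';        e = { Get-EventDataValue -Event $_ -Name 'SubjectUserName' } },
    @{ n = 'CommandLine'; e = { Get-EventDataValue -Event $_ -Name 'CommandLine' } } -AutoSize

[pscustomobject]$summary
```

On a large Security log, add a StartTime key to the FilterHashtable to bound the search. A hit on the second or third check matters more than the first: once the hives have been exported, deleting xx.bat changes nothing, and every local account password and every service or scheduled-task credential held in LSA Secrets on that server has to be treated as known to the attacker and rotated.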
The other criminal threat to Exchange servers comes from cryptocurrency miners. The Lemon Duck cryptocurrency-mining botnet has been observed exploiting vulnerable Exchange servers. Interestingly, the Lemon Duck operators cleaned up an Exchange server using the xx.bat file and a web shell, to ensure they had exclusive access to it.
Microsoft has also seen Lemon Duck used to install other malware rather than just to mine cryptocurrency.
Microsoft has published numerous indicators of compromise that defenders can use to check for the presence of these threats and for signs of credential theft.